Fix Vary header for CORS

Oops, we added behavior that varies the CORS response headers according to the incoming `Origin` header, but we forgot to add `Vary: Origin`!

This doesn't cause an issue for the app when you make requests to the server directly, but since it's behind a Fastly cache layer, we ended up caching responses that didn't include CORS headers but should have.

Now, this will instruct the Fastly cache to treat requests with different `Origin` headers as being entirely different. (This means we won't be sharing caches between requests from impress-2020 and the Rails app anymore, but that should be okay in practice!)
This commit is contained in:
Emi Matchu 2023-10-12 14:58:26 -07:00
parent e31a79e793
commit a14bc9bebd

View file

@ -11,4 +11,17 @@ export function applyCORSHeaders(req, res) {
res.setHeader("Access-Control-Allow-Methods", "*");
res.setHeader("Access-Control-Allow-Headers", "*");
}
// Add "Origin" to the `Vary` header, so caches know that the incoming Origin
// header can change the response (specifically, the CORS response headers).
//
// NOTE: In this app, I don't expect "Vary: *" to ever be set. But we try to
// be robust about it, just in case! (Adding instead of overwriting *does*
// matter for the GraphQL endpoint, which sets "Vary: Accept-Encoding".)
const varyContent = res.getHeader("Vary");
if (varyContent !== "*") {
const varyValues = varyContent ? varyContent.split(/,\s*/) : [];
varyValues.push("Origin");
res.setHeader("Vary", varyValues.join(", "));
}
}